Clarification (7/17/08)

At Icrontic we respect the right of software and hardware manufacturers to comment on our pieces to ensure that their products are being evaluated in a fair and accurate manner. Should a manufacturer choose to respond we will post their comments verbatim.

As such we were contacted by nTrance after publication with a few counter-points to this review:

Thank you for review.

I have found some minor mistakes.

1. “The authentication box for n-Pass has no timeout and offers unlimited login attempts.” Timeout, as well as other security settings can be set by user

2. “A simple brute-force hammering of the login box could be executed” – Even if security settings were not defined, a brute-force attach for normal 6 symbols password will take years. Every failed attempt take few seconds.

3. EVD functionality is actually provided not for encryption of flash drive, but rather for creation of encrypted disk on the PC. I n this case a flash drive with n-Pass installed is used as a crypto-token enabling this function.

4. There is another option of encryption of files for someone. Try to import attached file to the contact section of n-Pass. You will see a new option in the content menu (n-Crypt->n-Crypt a copy for or n-Crypt and e-mail to…)

In regards to the login box, we yield that the user does have some control: You can opt to destroy all personal information after n failed password attempts, lock the screen (WIN+L) after n minutes, or lock the application after n minutes. When n-Pass is in a locked state, only information entered during the installation phase can be auto-filled. You will be prompted for your master password to save sites or fill sensitive information.

However we do stand by our opinion that this is not enough when it comes to a security suite billed to protect credit card and social security numbers. Defeating a locked screen stands as a trivial effort with today’s tools, and the destruction of personal data for the sake of security is a drastic measure which ignores the merits of a more secure system. The additional claim that a brute force attack would take years is incomprehensibly bold, as the generation of a precomputed dictionary out to eleven characters from the EN-US keyset takes less than a week to generate. Attempts on the login box took less than a few seconds to perform by hand, leaving us to wonder how quickly a computer could do it with sufficient time.

Although nTrance claims that EVD is not for use on flash drives, their own EVD wizard clearly indicates that the utility is designed to encrypt partitions, zip disks and flash drives. In relation we found no ability for this drive to be used as a crypto-key as described. With or without the flash drive we continued to use the n-Pass program unhindered.

Lastly, we did indeed overlook the ability to use RSA-2048 public key encryption to mail protected files to people in the contact list managed by n-Pass. Incoveniently, however, this functionality can only be used with Outlook Express and did not offer support for web clients which are growing in popularity.

Discuss this review in our forums.

« Previous

Pages: 1 2 3

Tags: applications, security